Opening port 3306 to the public internet is generally considered a significant security risk. MySQL was not originally designed with internet-scale threats in mind, and exposing it directly can make your database vulnerable to:
- Brute force attacks against weak credentials
- Zero-day exploits in MySQL server
- Denial-of-service attacks
- Man-in-the-middle attacks (without SSL)
Consider these more secure alternatives before deciding to expose MySQL:
# Example SSH tunnel command (Linux/Mac); -N opens the tunnel without running a remote shell
ssh -L 3306:localhost:3306 user@your-database-server.com -N
# Windows users can use PuTTY to create similar tunnels
# Configure local port 3306 to forward to remote 3306
When absolutely necessary, implement these security measures:
# MySQL my.cnf security configuration
[mysqld]
# Default: only listen locally. skip-networking disables TCP/IP entirely,
# so bind-address and the TLS settings below have no effect while it is set.
bind-address = 127.0.0.1
skip-networking
# When enabling remote access, remove skip-networking and use these instead:
# bind-address = your.server.ip
# require_secure_transport = ON   # reject connections that are not TLS
# ssl-ca = /path/to/ca.pem
# ssl-cert = /path/to/server-cert.pem
# ssl-key = /path/to/server-key.pem
If you proceed with opening the port, configure your firewall with these rules:
# Example iptables rules for MySQL access
iptables -A INPUT -p tcp --dport 3306 -s trusted.ip.here -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Automated banning: fail2ban ships a mysqld-auth filter/jail that matches
# "Access denied" entries in the error log. Manual ban/unban in that jail:
fail2ban-client set mysqld-auth banip <attacker-ip>
fail2ban-client set mysqld-auth unbanip <attacker-ip>
Once implemented, continuous monitoring is crucial:
# Sample monitoring query for connection attempts
SELECT user, host, db, command, time
FROM information_schema.processlist
WHERE command = 'Connect';
# Log analysis: count "Access denied" entries per 'user'@'host'
# (the last field of those lines is "YES)" or "NO)", not the host)
grep 'Access denied' /var/log/mysql/error.log | grep -o "'[^']*'@'[^']*'" | sort | uniq -c | sort -n
For remote workers with dynamic IPs, a VPN solution is vastly superior:
# Example OpenVPN server config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
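The grep pipeline above only gives a raw count per source. As an added example (not part of the original answer), here is the same detection logic in Python over a few constructed MySQL 8.0-style error-log lines: it parses the "Access denied" entries, aggregates failures per source host, flags remote hosts that exceed a failure threshold or spray several usernames, and emits matching iptables DROP rules. The sample lines, the thresholds and the LOCAL_HOSTS set are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines approximating the MySQL 8.0 error-log format (not a real capture).
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z 12 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2024-05-01T10:00:02.000000Z 13 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.45' (using password: YES)
2024-05-01T10:00:03.000000Z 14 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.45' (using password: NO)
2024-05-01T10:00:04.000000Z 15 [Warning] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.45' (using password: YES)
2024-05-01T10:00:05.000000Z 16 [Warning] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.45' (using password: YES)
2024-05-01T10:00:06.000000Z 17 [Warning] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2024-05-01T10:00:07.000000Z 18 [Note] [MY-010051] [Server] Event Scheduler: scheduler thread started with id 5
2024-05-01T10:00:08.000000Z 19 [Warning] [MY-010926] [Server] Access denied for user 'app'@'localhost' (using password: YES)
"""

# Failed logins are recorded as "Access denied for user 'u'@'h'"; the line prefix
# differs between versions, so only the user@host part is matched.
ACCESS_DENIED_RE = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?: \(using password: (?P<pw>YES|NO)\))?"
)

# Sources that are never firewalled by this report (assumption for the example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_failed_logins(lines):
    """Yield (user, host, used_password) for every Access denied line."""
    for line in lines:
        m = ACCESS_DENIED_RE.search(line)
        if m:
            yield m.group("user"), m.group("host"), m.group("pw") == "YES"


def failed_login_report(lines, threshold=5, user_spread=3):
    """Aggregate failures per source host. A remote host is flagged when it reaches
    `threshold` failures or tries `user_spread` or more distinct usernames (a
    password-spray signature); both thresholds are assumed values."""
    failures, users = Counter(), defaultdict(set)
    for user, host, _ in parse_failed_logins(lines):
        failures[host] += 1
        users[host].add(user)
    return {
        host: {
            "failures": n,
            "users": sorted(users[host]),
            "suspicious": host not in LOCAL_HOSTS
            and (n >= threshold or len(users[host]) >= user_spread),
        }
        for host, n in failures.items()
    }


def block_rules(report):
    """iptables DROP rules for flagged hosts; -I puts them ahead of any ACCEPT rule."""
    return [
        f"iptables -I INPUT -p tcp --dport 3306 -s {host} -j DROP"
        for host, r in sorted(report.items())
        if r["suspicious"]
    ]


if __name__ == "__main__":
    rep = failed_login_report(SAMPLE_LOG.splitlines())
    for host, r in sorted(rep.items(), key=lambda kv: -kv[1]["failures"]):
        flag = "  <-- SUSPICIOUS" if r["suspicious"] else ""
        print(f"{host:16} failures={r['failures']:<3} users={','.join(r['users'])}{flag}")
    print("\n".join(block_rules(rep)))
```

Run it against a real error log with `failed_login_report(open('/var/log/mysql/error.log').read().splitlines())`; note that failed logins only appear in the error log when the server's log_error_verbosity (or log_warnings on 5.x) includes warnings, so check that before relying on this source.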
Opening port 3306 to the public internet is generally considered unsafe practice. MySQL has historically been targeted by brute-force attacks, with Shodan.io showing over 3 million exposed MySQL instances worldwide. Common attack vectors include:
- Credential stuffing attacks using default or weak passwords
- Exploits against older MySQL versions (like CVE-2012-2122 auth bypass)
- Denial-of-service attacks against the MySQL protocol
Before considering opening port 3306, evaluate these alternatives:
# SSH Tunnel Example (works with any MySQL client):
ssh -L 63306:localhost:3306 user@your-db-server.com
# Then connect your client to localhost:63306
Other options include:
- VPN connections to the ISP's network
- SSH port forwarding (as shown above)
- MySQL over SSL with client certificate authentication
- Using a bastion host or jump server
If you must open port 3306, implement these security measures:
-- MySQL user creation with host restriction and TLS requirement
-- (REQUIRE belongs on CREATE USER / ALTER USER; the GRANT ... REQUIRE form
-- was deprecated in 5.7 and removed in 8.0)
CREATE USER 'remote_user'@'192.168.1.%' IDENTIFIED BY 'StrongPassword!123' REQUIRE SSL;
-- narrow ALL PRIVILEGES to what the application actually needs
GRANT ALL PRIVILEGES ON dbname.* TO 'remote_user'@'192.168.1.%';
FLUSH PRIVILEGES;
Essential configurations for my.cnf:
[mysqld]
bind-address = 0.0.0.0
ssl-ca = /etc/mysql/ca-cert.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
skip_name_resolve = ON
local_infile = OFF
secure_file_priv = NULL
When configuring your firewall:
# iptables example allowing only specific IP ranges
iptables -A INPUT -p tcp --dport 3306 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
Additional protections:
- Implement fail2ban for MySQL
- Set up rate limiting for connection attempts
- Use cloud provider security groups if applicable
Essential monitoring commands:
# Show current connections
mysqladmin processlist
# Check for failed logins
grep 'Access denied' /var/log/mysql/error.log
# Monitor authentication attempts
tcpdump -i eth0 port 3306 -n
Regularly audit your MySQL installation and firewall rules to maintain security.
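The my.cnf fragments in both answers above list the settings that matter, but checking them by eye is how misconfigurations survive audits. As an added example (not part of either answer), here is a small Python linter that parses the [mysqld] section of an option file and reports the weak settings those answers warn about: listening on all interfaces, no TLS enforcement, no server certificate, LOAD DATA LOCAL enabled, unrestricted file privileges, and DNS-based host matching. The sample configurations, the finding texts and the check list are assumptions for the demonstration; the settings themselves are the ones named on this page.

```python
# Weak and hardened [mysqld] sections, constructed for the example. The first
# mirrors the second answer's fragment, the second adds what it was missing.
PAGE_STYLE_CNF = """\
[mysqld]
bind-address = 0.0.0.0
ssl-ca = /etc/mysql/ca-cert.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
skip_name_resolve = ON
local_infile = OFF
secure_file_priv = NULL
"""

HARDENED_CNF = """\
[mysqld]
bind-address = 203.0.113.10   # one specific address, firewalled to known clients
require_secure_transport = ON
ssl-ca = /etc/mysql/ca-cert.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
skip_name_resolve = ON
local_infile = OFF
secure_file_priv = NULL
"""


def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section. Names are normalised to
    underscores (MySQL treats '-' and '_' in option names alike); a bare option
    such as skip-networking gets the value '1'; '#' comments may follow a value."""
    opts, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.strip() if sep else "1"
    return opts


def _is_on(v):
    return v is not None and v.upper() in ("1", "ON", "TRUE")


def _is_off(v):
    return v is not None and v.upper() in ("0", "OFF", "FALSE")


def lint_mysqld(text):
    """Return a list of findings; an empty list means every check passed."""
    o = parse_mysqld_section(text)
    findings = []
    if _is_on(o.get("skip_networking")):
        return findings  # TCP/IP is disabled, so the remote-access checks do not apply
    # bind_address defaults to '*' (all interfaces) since MySQL 8.0
    if o.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("bind_address: listens on every interface; bind one address and firewall 3306")
    if not _is_on(o.get("require_secure_transport")):
        findings.append("require_secure_transport: not ON, so cleartext TCP logins are accepted")
    if not (o.get("ssl_cert") and o.get("ssl_key")):
        findings.append("ssl_cert/ssl_key: no server certificate, so TLS cannot be offered")
    if not _is_off(o.get("local_infile")):
        findings.append("local_infile: not explicitly OFF; LOAD DATA LOCAL lets a server read client files")
    sfp = o.get("secure_file_priv")
    if sfp is None or sfp in ("", '""'):
        findings.append("secure_file_priv: unset or empty; use NULL or a dedicated directory")
    if not _is_on(o.get("skip_name_resolve")):
        findings.append("skip_name_resolve: not ON; host-based grants then depend on reverse DNS")
    return findings


if __name__ == "__main__":
    for name, cnf in (("page-style", PAGE_STYLE_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {name}: {len(lint_mysqld(cnf))} finding(s)")
        for f in lint_mysqld(cnf):
            print("  -", f)
```

Point it at a live file with `lint_mysqld(open('/etc/mysql/my.cnf').read())`; if your distribution splits options across conf.d files, concatenate them first, since the linter only sees what it is given.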